ContainerOS is an operating system that Alibaba Cloud provides for containerized development. ContainerOS is fully compatible with Kubernetes. ContainerOS is based on Alibaba Cloud Linux 3 and provides enhanced security, faster startup, and simplified system services and software packages. ContainerOS is pre-installed with components to provide out-of-the-box features in cloud-native scenarios. This topic describes the applicable scope, basic information, features, benefits, and security considerations of ContainerOS.
Limits
ContainerOS can be used only in node pools in Container Service for Kubernetes (ACK) clusters and supports only the containerd runtime. For more information, see Create an ACK managed cluster.
ContainerOS supports only Kubernetes 1.24.6 or later. For more information about how to update the Kubernetes version of an existing cluster, see Manually update ACK clusters.
You cannot use ContainerOS in GPU-accelerated instances and Arm-based instances.
Introduction to ContainerOS
Due to the rapid development of cloud-native technologies, containerization is widely adopted to deploy applications. The emergence of cloud-native components, such as container runtimes and Kubernetes components, allows you to focus on application development and eliminates the need to manage and maintain the underlying infrastructure. In order to support more scenarios, traditional operating system distributions are pre-installed with user space tools, software packages, and system services. This significantly increases the size of operating systems, slows down operating system startups, and poses challenges to the O&M of operating systems. These challenges include the management of software packages and software versions. To improve the compatibility of traditional operating systems in cloud-native scenarios and improve the user experience of ACK, ACK provides ContainerOS, an operating system specialized for containerized development.
Compared with traditional operating systems, ContainerOS is a lightweight node operating system that uses a modular architecture. With ContainerOS, you can launch containers faster and run containers with higher efficiency. In addition, ContainerOS provides enhanced security and requires less computing resources, which makes ContainerOS ideal for cloud computing and large-scale deployments. These benefits provide better user experience.
Features
Feature | Description |
Simplified operating system images | ContainerOS contains only the software packages and system services that are required for running pods. The integration and optimization of the entire system enable ContainerOS to start up much faster than other operating systems. ContainerOS contains approximately 200 software packages, while common operating systems such as Alibaba Cloud Linux 3, Alibaba Cloud Linux 2, and CentOS come with around 600 pre-installed software packages by default.
ContainerOS does not support Python and does not allow you to directly log on by using SSH. ContainerOS provides out-of-the-box features that you can use without additional configurations. You can focus on application development without the need to maintain the operating system. |
Fast startup | ContainerOS provides end-to-end integration and optimization, which greatly accelerates the startup and reduces the time required for adding nodes to ACK clusters. The startup of ContainerOS is simplified. Key cluster control components are pre-installed in the image of ContainerOS to save the need to pull images of these components during node initialization. These features, along with an optimized ACK control link, greatly reduce the time required for adding nodes to ACK clusters. The following figure shows the startup duration of different operating systems. When you use ContainerOS to deploy 1,000 nodes, it requires 53 seconds for 90% of the nodes to reach the Ready state. The startup duration is significantly shorter than the startup duration of nodes when CentOS or Alibaba Cloud Linux 2 is used to deploy nodes. For more information, see Use ContainerOS to quickly scale out nodes.  Important The values provided in the preceding figure are only theoretical values. The actual values may vary based on the service optimization and your environment. |
Security enhancement | The root file system of ContainerOS is read-only. You have read and write permissions only on the /etc and /var directories. This allows you to configure some basic system configurations. This way, ContainerOS complies with the principle of immutable infrastructure and prevents container escapes and unauthorized operations on the host file system. ContainerOS does not allow you to directly log on to the system and perform untraceable operations. However, ContainerOS provides a container that you can use to meet your O&M requirements. For more information about how to use the administrative container, see Work with the administrative container of ContainerOS. |
Atomic update | ContainerOS complies with the principle of immutable infrastructure, and does not support Yellowdog Updater Modified (YUM) package management tools. ContainerOS supports updates and rollbacks of operating system image versions (by replacing system disks) and provides the limited tiered hot update feature. This ensures the consistency of software versions and system configurations among nodes. Each ContainerOS image must pass strict tests before it is released. Compared with traditional updates that are based on Red Hat Package Manager (RPM) packages, updates based on operating system images ensure higher system stability after updates are completed. |
Benefits
Benefit | Description |
Specialization in containerized development | ContainerOS is specialized for containerized development and provides benefits such as fast startup, security enhancement, and immutable root file systems. These benefits provide improved performance, facilitate cluster O&M and management, and ensure consistency among nodes. |
Fast scale-out | With internal optimization and optimization for ACK control planes, ContainerOS greatly reduces the time required for scaling out ACK clusters. The time required for adding nodes to a cluster accounts for more than 90% of the E2E time required for scaling out the cluster. If you use ContainerOS as the node operating system, the E2E time required for scaling out ACK clusters will be greatly reduced. |
High O&M capability | ContainerOS is integrated with the ACK control plane to allow you to update Kubernetes versions and system software versions and fix CVE vulnerabilities by updating operating system image versions. Compared with Alibaba Cloud Linux 2, which uses images pre-installed with components to accelerate node initialization, ContainerOS provides automated O&M and CVE patching. This frees you from image maintenance and node O&M, and greatly simplifies your work in using ACK clusters. ContainerOS is optimized for ACK. ContainerOS can greatly reduce service downtime caused by node O&M activities in order to ensure the stability of your businesses. |
Compatibility with Alibaba Cloud Linux 3 | The kernel versions and most software versions of ContainerOS are the same as those of Alibaba Cloud Linux 3. ContainerOS uses Linux Kernel 5.10 LTS, the latest Linux kernel version. This provides the latest Linux features for applications. For more information about Alibaba Cloud Linux 3, see Overview. |
Security considerations
ContainerOS complies with the following design principles to enhance security.
Operating system security
Minimized execution environment
ContainerOS contains only the software packages and system services required in containerization scenarios. ContainerOS contains more than 210 software packages. Fewer software packages means fewer CVE vulnerabilities, which improves system security. ContainerOS removes software packages with high-risk CVE vulnerabilities, such as binutils, Python, OpenSSH, and tcpdump, to minimize the script execution environment. In addition, ContainerOS does not support the execution of Python, Perl, or Ruby scripts.
Immutable root file system
ContainerOS does not support package management software such as YUM. Only RPM-OSTree can be used for traceable operating system updates and rollbacks. The root file system /and the core directory /usr (the directory where binary and dynamic libraries are stored) are read-only. /etc (the dynamic configuration directory) and the /var (the directory where logs and container images are stored) remain writable.
The following table describes different paths in the file system, the attributes of the paths, and suggestions on how to use the paths.
Path | Attribute | Description |
| Read-only Executable | The root file system |
| Writable Stateful | This path includes system configuration files, such as custom systemd service files and custom software settings. The custom configuration files in this directory are retained after you update the system. |
| Writable Stateful | This path is used for storing directories that are required for running certain components (such as |
| Writable Stateful | These paths are symbolically linked to the |
| Writable Stateless | This path is mounted to a temporary file system (TMPFS) file system, which can be used to store temporary files required by the system. The data is cleared after you restart the system. |
Modes for accessing an instance that runs ContainerOS
By default, ContainerOS is not installed with the OpenSSH package. Therefore, you cannot log on to an instance that runs ContainerOS through SSH because sshd is unavailable. You can use the following methods to log on to the instance:
Use the administrative container on demand: Run the command in the Cloud Assistant client to launch the administrative container. Log on to the container by using the key pair of the instance. You cannot log on by using a password.
Connect to the instance by using Session Manager: The Web Socket Secure (WSS) protocol is used to establish persistent WebSocket connections between Session Manager Client and the Cloud Assistant server, as well as between the Cloud Assistant server and Cloud Assistant Agent. The WSS protocol encrypts persistent WebSocket connections by using the SSL protocol to ensure security.
Infrastructure security
Software package system based on Alibaba Cloud Linux
Alibaba Cloud Linux is a Linux operating system distribution developed by Alibaba Cloud. It is the most widely adopted operating system distribution of Alibaba Cloud. ContainerOS is optimized based on Alibaba Cloud Linux, various cloud computing scenarios, and years of experience in building software packages and images based on Alibaba Cloud Linux. Before ContainerOS is released, Alibaba Cloud performs basic tests and ACK integration tests to ensure the availability and security of ContainerOS.
Continuous vulnerability scanning and patching
You can use ContainerOS in a managed node pool of ACK to automatically diagnose and fix node exceptions and patch CVE vulnerabilities. This ensures the availability and security of nodes.
Billing
ContainerOS is free of charge. You can use ContainerOS free of charge in node pools in ACK clusters. ACK provides long-term free technical support for ContainerOS.
You are charged for resources that are used together with ContainerOS, such as vCPUs, memory, storage, public bandwidth, and snapshots. For more information about the billing of other resources, see Billing overview.
References
For more information about how to use ContainerOS as the operating system of a node pool, see Use ContainerOS.
ContainerOS has accelerated operating system startups and image pulling to improve the efficiency of node scale-outs for ACK. For more information, see Use ContainerOS to quickly scale out nodes.
For more information about how to work with the administrative container of ContainerOS, such as accessing the host environment and stopping, restarting, or deleting the administrative container, see Work with the administrative container of ContainerOS.
For more information about the release notes for the ContainerOS image, see Release notes for OS images.